In last week’s blog, we introduced the idea of designing and building your cybersecurity program for risk management and compliance. Let’s continue with some examples.
A Data Security Example
To illustrate how this all works, let’s consider how to control access to sensitive data, such as customer records.
Your policy would state: “All access to electronic customer records must be authenticated to individual users.”
Among other things, your Authentication standard would state: “Systems administrators accessing customer records must do so using two or more factors of authentication.”
Consistent with the policy and standards, the systems administrators would follow a procedure that describes on a step-by-step basis how to authenticate.
A very simple procedure would tell the administrator to insert their employee ID badge into the card reader, then enter their password when prompted.
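The procedure above pairs something the administrator has (the badge) with something they know (the password). The check that matters when you audit this standard is that the two factors come from different categories: a password plus a PIN is still one factor. Here is an added example, not code from the original post, that evaluates constructed access events against the policy ("authenticated to an individual user") and the standard ("two or more factors for administrators"). The method names, event fields, and sample events are assumptions for illustration.

```python
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping from the method names an authentication log might report
# to factor categories. The names are illustrative, not from any product.
FACTOR_CATEGORY = {
    "password": FactorType.KNOWLEDGE,
    "pin": FactorType.KNOWLEDGE,
    "security_question": FactorType.KNOWLEDGE,
    "badge": FactorType.POSSESSION,        # the employee ID badge in the procedure
    "smartcard": FactorType.POSSESSION,
    "totp": FactorType.POSSESSION,
    "fido2": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
}


def count_distinct_factors(methods):
    """Count distinct factor categories, not distinct methods.

    A password plus a PIN is still one factor: both are knowledge.
    """
    categories = set()
    for method in methods:
        if method not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication method: {method!r}")
        categories.add(FACTOR_CATEGORY[method])
    return len(categories)


def check_access_event(event, admin_min_factors=2):
    """Evaluate one access event against the policy and the standard.

    `event` is an assumed dict with keys user_id, role, resource, methods.
    """
    # Policy: every access must be tied to an individual user.
    if not event.get("user_id"):
        return "DENY: policy requires access authenticated to an individual user"
    # Standard: administrators touching customer records need two factors.
    if event["resource"] == "customer_records" and event["role"] == "sysadmin":
        if count_distinct_factors(event["methods"]) < admin_min_factors:
            return "DENY: standard requires two or more factors for administrators"
    return "ALLOW"


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"user_id": "jdoe", "role": "sysadmin", "resource": "customer_records",
     "methods": ["badge", "password"]},          # the procedure above: two categories
    {"user_id": "jdoe", "role": "sysadmin", "resource": "customer_records",
     "methods": ["password", "pin"]},            # two methods, one category
    {"user_id": None, "role": "sysadmin", "resource": "customer_records",
     "methods": ["badge", "password"]},          # shared account, no individual
    {"user_id": "asmith", "role": "analyst", "resource": "customer_records",
     "methods": ["password"]},                   # standard binds admins only
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["user_id"] or "<none>", e["methods"], "->", check_access_event(e))
```

Note the last sample event: as written, the standard constrains only systems administrators, so an analyst with a password alone is allowed. If that is not the intent, the standard, not the procedure, is what needs tightening.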
To make sure only authorized people become systems administrators, a large company would implement a process built on separation of duties: four procedures, performed by four different people on four different teams, so that no single person can request, approve, and provision their own privileged access:
- First, the user requests administrator access
- Team “A” would process their request for a privileged account
- Then, a manager reviews the request and either approves or denies it
- Finally, a member of team “B” creates the account and securely provides the requester with the login details
(You’ll want a simpler process at a smaller company. But even a small company should require at least two people, so that nobody can approve or provision their own access, to minimize the chance of violations.)
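The process above is only as strong as the rule that the same person cannot fill more than one role. As an added example, not code from the original post, here is a small workflow model that enforces the step order and the separation of duties. It generalizes the two cases in the text with a `min_distinct_actors` setting (4 for the large-company process, 2 for the small-company variant) and, regardless of that setting, never lets the requester approve or provision their own request. The class, step names and sample actors are assumptions for illustration.

```python
from dataclasses import dataclass, field

# The four procedures listed above, in the order they must happen.
STEPS = ("request", "process", "approve", "provision")


class SeparationOfDutiesError(Exception):
    """A step was attempted out of order or by someone the process forbids."""


@dataclass
class PrivilegedAccessRequest:
    requester: str
    min_distinct_actors: int = 4          # 4 at a large company, 2 at a small one
    actions: dict = field(default_factory=dict)

    def __post_init__(self):
        # The request itself is the first step, performed by the requester.
        self.actions["request"] = self.requester

    def record(self, step, actor):
        if len(self.actions) >= len(STEPS):
            raise SeparationOfDutiesError("request is already provisioned")
        expected = STEPS[len(self.actions)]
        if step != expected:
            raise SeparationOfDutiesError(
                f"cannot {step!r} now; next step is {expected!r}")
        # Nobody approves or provisions their own access, whatever the size.
        if step in ("approve", "provision") and actor == self.requester:
            raise SeparationOfDutiesError(
                f"{actor} cannot {step} their own request")
        # Keep enough distinct people in play to reach the required total:
        # the people who have acted so far plus one new person per step left.
        distinct = len(set(self.actions.values()) | {actor})
        steps_left = len(STEPS) - len(self.actions) - 1
        if distinct + steps_left < self.min_distinct_actors:
            raise SeparationOfDutiesError(
                f"{actor} already acted on this request; "
                f"{self.min_distinct_actors} distinct people are required")
        self.actions[step] = actor

    def is_provisioned(self):
        return len(self.actions) == len(STEPS)


def run_workflow(requester, actions, min_distinct_actors=4):
    """Replay (step, actor) pairs; return 'OK', 'INCOMPLETE' or the violation."""
    req = PrivilegedAccessRequest(requester, min_distinct_actors)
    try:
        for step, actor in actions:
            req.record(step, actor)
    except SeparationOfDutiesError as err:
        return f"VIOLATION: {err}"
    return "OK" if req.is_provisioned() else "INCOMPLETE"


if __name__ == "__main__":
    # Constructed scenarios with made-up names.
    large_ok = [("process", "bob"), ("approve", "carol"), ("provision", "dave")]
    large_bad = [("process", "bob"), ("approve", "bob"), ("provision", "dave")]
    small_ok = [("process", "alice"), ("approve", "bob"), ("provision", "bob")]
    small_bad = [("process", "bob"), ("approve", "alice"), ("provision", "bob")]
    print("large, four people:", run_workflow("alice", large_ok))
    print("large, bob twice:  ", run_workflow("alice", large_bad))
    print("small, two people: ", run_workflow("alice", small_ok, 2))
    print("small, self-approve:", run_workflow("alice", small_bad, 2))
```

The check runs at every step rather than only at provisioning time, so a violation is caught when it is attempted and not after an account already exists.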
Benefits of This Program Design
There are at least four benefits from following this Policy and Compliance Architecture:
- First, you get better risk management. You’re not just managing the risk of failing an audit; real risks in your environment are well-managed. The audits you go through should prove your controls are working.
- In addition, this approach is more cost-effective. It reduces the temptation to make every separate compliance mandate a stand-alone activity. You do not need to reinvent the wheel for every audit, year after year. And, staff have a single program to follow.
- You also get a competitive advantage. Smart regulatory compliance strengthens customer relationships, as we previously learned.
- Finally, new compliance mandates become much easier and quicker to satisfy. This information security program design allows you to quickly take credit for everything you’ve already put in place. You just need to implement any new controls.
Ongoing Cyber Risk and Compliance Management
You may have conflicting compliance mandates, with one more restrictive than another. Where possible, run your cybersecurity program to the most restrictive mandate, so that satisfying it satisfies the others as well. Where the mandates genuinely conflict, let the real risk at hand guide you to a good decision.
Also, your requirements will eventually become stale. After all, your business changes every day, which can result in new customers, new systems, and staff turnover. As a result, documentation falls behind.
To manage this risk, I suggest you review your entire program design annually and make updates.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.